Spotify DRM hole exploited by MP3-ripping Chrome extension

Spotify issues patch after extension pulled from Chrome Web Store.

A Chrome browser extension that lets anyone rip music from Spotify at the click of a mouse has exposed a flaw in the security of Spotify's library.

Spotted by Dutch siteTweakers, Downloadify takes advantage of an apparent oversight in Spotify's music library. When using Spotify's web player, Downloadify lets users with a paid subscription click on any song and rip it as a DRM-free MP3 to their computer.

The normal Spotify application encrypts the music that it streams, so it looks like this comes down to an oversight of some kind on Spotify's part. When contacted for comment, Spotify told Wired.co.uk: "We are aware of the issue and are currently working on a fix." (The exploit was patched after this article was published on Wired UK.)

Meanwhile, Google has taken the plugin down from the Chrome Web Store only a day after its May 7 launch, but, as The Verge has noted, it's still readily available to download from Github as of the time of writing.

Several sites do exist purely to point out that you can "rip" music from Spotify quite easily by just recording from the audio out jack (or a tape deck held up to the speakers, if you want to do it old school), but anything a user does to make "copying, reproducing, 'ripping,' recording" is explicitly forbidden by Spotify's terms and conditions.

53 Reader Comments

There are a TON of firefox extensions that do this for many sites, primarily Youtube. It doesn't appear that Mozilla polices this very closely. Youtube occasionally tries to change their encryption, but the plugins get updated. Its pretty much "If you can hear it, it can be ripped".

YouTube's not encrypting, it's just streaming un-DRM'd video and using internal APIs. People who make these apps and extensions scrape the site to come up with something, then try to keep it updated when YouTube changes their internals.

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

I've seen extensions that do this for Soundcloud, Youtube, and loads of other sites as well. Honestly it's not the easiest way to get hold of a song and really only useful for something you absolutely can't find anywhere else. There will always be ways to make copies of songs without buying them if you're really dedicated. Just another reminder of how the solution is to keep finding ways to make "legit" methods convenient and affordable so people don't bother (as well as finding other ways to make money from your music than selling copies of recordings).

In the old days I recall installing software that acted like an audio driver.

In the old days, I recall waiting all day for a song to play on the radio so I could record it on cassette.

Oh, how things have changed.

And then when you finally get to record it, the DJ ruins it by saying something at the end of the song.

That is the non-explicit function of DJs, of course. To make it impossible to get a good recording out of a radio airing by chattering on the start and end of it. Additionally, radio versions are often shortened versions missing an entire verse (or more), or having one or two words bleeped out (like Alanis Morissette having the word "chickenshit" noticeably shortened to "chicken").

Oh, and radio stations only ever air one or two songs per artist. You'd think that Green Day was a contemporary soft rock group since radios only ever air Good Riddance, the closest thing they've ever done to a mainstream top 40 song.

Additionally, radio versions are often shortened versions missing an entire verse (or more), or having one or two words bleeped out (like Alanis Morissette having the word "chickenshit" noticeably shortened to "chicken").

"What It's Like" by Everlast plays on the radio here all the time, and like a third of the song is missing; the radio edit covers things up with record scratches and other sound effects. The words removed are some swears, things like the word "whore", "drugs" and the phrase "Colt .45". Really aggressive radio editing.

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

If you're tech-savvy enough, it's not that hard to do it using Audacity.

In the old days I recall installing software that acted like an audio driver.

In the old days, I recall waiting all day for a song to play on the radio so I could record it on cassette

…in the snow.

...12 miles away, uphill on the way there and on the way back!

Butt-ass naked with rottweilers chasing you.

You were lucky. We lived for three months in a paper bag in a septic tank. We used to have to get up at six in the morning, clean the paper bag, eat a crust of stale bread, go to work down t' mill, fourteen hours a day, week-in week-out, for sixpence a week, and when we got home our Dad would thrash us to sleep wi' his belt.

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

Back when you could just load unsigned kernel drivers, there wasn't anything stopping you from using a virtual audio device(except for the fact that you are getting uncompressed output, which is either huge or needs to be recompressed).

Starting with Windows Vista, MS provided the option for a media playback application to demand a 'protected path', with every software component and device driver in the output chain signed by microsoft and subject to licensing requirements about DRM adherence and tamper resistance. In the event of a breach or vulnerability, the signature could be revoked, and the presence of any unsigned or revoked component in the media path would cause the OS to report to the application that no protected path was available.

This would include virtual audio devices, unless you were atypically sneaky about it.

I don't think that uptake has been all that aggressive, it's just too much of a pain in the ass in order to prevent something that is little more than an analog-hole attack; but it theoretically precludes the use of faked output devices.

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

Back when you could just load unsigned kernel drivers, there wasn't anything stopping you from using a virtual audio device(except for the fact that you are getting uncompressed output, which is either huge or needs to be recompressed).

Starting with Windows Vista, MS provided the option for a media playback application to demand a 'protected path', with every software component and device driver in the output chain signed by microsoft and subject to licensing requirements about DRM adherence and tamper resistance. In the event of a breach or vulnerability, the signature could be revoked, and the presence of any unsigned or revoked component in the media path would cause the OS to report to the application that no protected path was available.

This would include virtual audio devices, unless you were atypically sneaky about it.

I don't think that uptake has been all that aggressive, it's just too much of a pain in the ass in order to prevent something that is little more than an analog-hole attack; but it theoretically precludes the use of faked output devices.

Who cares? You cant stop piracy, but if your product is good enough that the vast majority of people are paying for it, does it really matter?

The music industry might. Not saying they *should*, mind you, but they might believe this kind of loophole would cost them sales, and thus yank their songs off of Spotify while still providing the public with DRM-free high quality source material via CDs, iTunes, Amazon Music, eMusic et. al.

(Hey, I never said it'd be a *sensible* idea to pull the stuff off of Spotify, only that I wouldn't be surprised to see it happen.)

Who cares? You cant stop piracy, but if your product is good enough that the vast majority of people are paying for it, does it really matter?

The music industry might. Not saying they *should*, mind you, but they might believe this kind of loophole would cost them sales, and thus yank their songs off of Spotify while still providing the public with DRM-free high quality source material via CDs, iTunes, Amazon Music, eMusic et. al.

(Hey, I never said it'd be a *sensible* idea to pull the stuff off of Spotify, only that I wouldn't be surprised to see it happen.)

The music industry will not be satisfied until everyone pays for any song they hear, even if it's shopping mall music played on the loudspeakers on the street outside or a passing car with its radio on too loud.

I'm pretty sure they're researching on ways to either bill you for music you remember, or delete it from your head so you have to hear it all over every time you want to enjoy it, no more filthy long-term memory pirating away the music industry precious, precious profits! <Gollum> Precioussssssssss </Gollum>

You were lucky. We lived for three months in a paper bag in a septic tank. We used to have to get up at six in the morning, clean the paper bag, eat a crust of stale bread, go to work down t' mill, fourteen hours a day, week-in week-out, for sixpence a week, and when we got home our Dad would thrash us to sleep wi' his belt.

Luxury. We dreamed of living in a septic tank, and every morning our dad would kill us, before sending us off to slave away for the music industry, trying to stop Justin Timberlake from founding Napster, while dead.

Of course recording stuff from the radio onto MP3s for your own use is *still legal*

So is playing the radio in a public place loudly enough for someone to hear.

Hopefully the RIAA will adopt the techniques of HDMI to have a fully encrypted connection all the way to the loudspeaker. Speakers will, like monitors and TVs, become sealed devices with sealed decryption chips that are very close to the actual audio element that produces sound.

Of course, all of this is just a short term fix. The ideal long term solution is for Google Glass to be permanently affixed at birth, and have it automatically charge your credit card whenever you see or hear anything copyrighted.

That will satisfy the MPAA / RIAA for awhile, until brain chip implant technology is worked out.

Not to give the secret away but...any VOIP protocol that allows recording with the sound input setting at "What you hear" will let you record virtually anything you can play on your computer. At fairly high bitrate too, if that's a concern.

It's kind of silly to pretend it's hard to record pretty much whatever you want whenever you want with a little bit of effort. The law actually protects this (sort of) activity, although I'm sure Spotify would allege this negatively impacts their bottom line and it's probably verboten in their user agreement. I don't use Spotify so I don't know.

In the old days I recall installing software that acted like an audio driver.

In the old days, I recall waiting all day for a song to play on the radio so I could record it on cassette.

And you were generally happy to have at least 2 minutes of the song, as long as it had the hook and at least 1 verse

In my day you could get entire albums off the radio. There was a radio show on one of the local stations that would play entire albums from start to finish.

As far as "top of the pops" stuff goes. If it was popular at the time then you were never in the position of waiting for very long for your song to be replayed again. Multiple stations would likely accommodate you too.

Additionally, radio versions are often shortened versions missing an entire verse (or more), or having one or two words bleeped out (like Alanis Morissette having the word "chickenshit" noticeably shortened to "chicken").

"What It's Like" by Everlast plays on the radio here all the time, and like a third of the song is missing; the radio edit covers things up with record scratches and other sound effects. The words removed are some swears, things like the word "whore", "drugs" and the phrase "Colt .45". Really aggressive radio editing.

I've heard multiple versions of even those edits. Can't think off the top of my head but I've heard some that scratch out about every other word, and others that pretty much just handle whore and shit.

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

But any "analog hole" method still leaves you with another layer of lossy compression. I mean, sure I can throw a camcorder in front of my TV to record Game of Thrones, but the folks on the interwebs will laugh at me when I try to post it online because the quality will be crap.

I too thought that Spotify used OGG, which would mean that this was just re-encoding the rendered audio stream? Color me uninterested. Unless it really was coughing up the decrypted (but still compressed) stream...that might be worth looking at.

Additionally, radio versions are often shortened versions missing an entire verse (or more), or having one or two words bleeped out (like Alanis Morissette having the word "chickenshit" noticeably shortened to "chicken").

"What It's Like" by Everlast plays on the radio here all the time, and like a third of the song is missing; the radio edit covers things up with record scratches and other sound effects. The words removed are some swears, things like the word "whore", "drugs" and the phrase "Colt .45". Really aggressive radio editing.

I've heard multiple versions of even those edits. Can't think off the top of my head but I've heard some that scratch out about every other word, and others that pretty much just handle whore and shit.

The aggressively destroyed song isn't even worth hearing.

Celo Green's horrific whitewashed radio-friendly version of "F*** You" into "Forget You" is a pretty good reminder that this is pretty much how radio functions. Hey, here we have an edgy song that uses a swear word in every single line! Let's play it on the radio, but remove the edge! That's like a bloody caesar without vodka or Worcestershire. All the pointless bland flavor of straight-up clamato!

In the old days I recall installing software that acted like an audio driver. Setting your sound output to this 'device' would then allow you to record any audio played on your PC. I don't think any encryption scheme could prevent that, short of having DRM controlled decryption chips installed in users' ear canal. I've said too much.

If you're tech-savvy enough, it's not that hard to do it using Audacity.

If by tech-savvy you mean plugging and 1/8" Male to Male cable from your audio in to your audio out and hitting record, then yes. I'm sure my grandmother would have trouble doing that, especially if the input was set to external mic. It's very simple to do it just takes more time.

For years I've been hearing nonsense about how it's artists and the music industry's fault that their work gets pirated because they haven't taken advantage of "new media" and adjusted to the "modern marketplace" to make their works easily and legally available online.

Starting with Windows Vista, MS provided the option for a media playback application to demand a 'protected path', with every software component and device driver in the output chain signed by microsoft and subject to licensing requirements about DRM adherence and tamper resistance. In the event of a breach or vulnerability, the signature could be revoked, and the presence of any unsigned or revoked component in the media path would cause the OS to report to the application that no protected path was available.